Access Test: Basic Biometric Fingerprint Readers
In the world of biometric-based access control, the fingerprint reader is the most common device available for mainstream applications. Typically such readers fall into one of two camps: standalone products or readers designed for integration with full access control solutions. Here, in the first part of a biometric fingerprint reader test, Benchmark looks at devices designed to be used in standalone mode. In next month’s issue, we will look at readers integrated with a full access control system.
Biometric technology is nothing new; it has been available in the security market for decades. When the technology first came to prominence, it was aimed at high-risk applications. There were a few reasons for this: they had the budget for the high-priced devices, they had a requirement for absolute identification and they placed the need for total security above that of convenience and throughput times.
Of the various biometric technologies available, the most common and arguably the most acceptable to users is fingerprint scanning. It is less invasive, or at least perceived to be less invasive, than some of the other technologies and few people have concerns about medical and cleanliness issues when it comes to their fingertips.
Whenever Benchmark tests fingerprint readers, we receive a flurry of comments from manufacturers who want to stress that not all fingerprint scanners are equal. The problem has less to do with the technologies involved and more to do with the marketing messages that accompany the various products. Some promote fingerprint readers as a low-cost approach to eliminate the need to purchase and manage credentials. Others focus on the high security benefits of a biometric-based solution. The reality is that installers and integrators must carry out a thorough risk assessment of any site, understand the requirements and expectations of the end-user and specify an appropriate device that meets their demands.
When considering standalone devices, consideration must be given to the number of users that can be supported, and as to whether the readers will be used in verification or identification roles. The latter is a very important point as it will affect throughput times.
Verification requires multi-factor authentication, using a card, tag or code to identify the authorised individual, and the fingerprint is typically used to verify their identity. In effect, this means the reader will be carrying out a one-to-one comparison. If used as an identification device, the biometric reader simply scans the fingerprint and compares the results to a database of users.
It is common to see arguments for one approach over the other, but in real world applications it is more likely than not that the use of fingerprint readers of any type will slow down throughput. In verification mode, for example, the user is required to carry out a minimum of two actions: presenting a credential or entering the code, and undergoing a fingerprint scan. In identification mode, the process of checking a scan result against a large database will invariably increase time.
It is also important to consider where the biometric fingerprint-based readers will be located. If devices are used on external doors, they should be capable of consistent and reliable operation in a range of conditions. These may include users with very cold or damp hands. It should also be remembered that in the winter months staff members may have to put down any items they’re carrying (maybe onto wet ground) or maybe remove gloves to use a fingerprint-based reader.
Fingerprint scanning sensors are not all created equal! Some two-dimensional scanners simply will not work with damp or wet fingers. This is because the scanner simply creates a two-dimensional optical image of the fingerprint. When the finger is placed onto the plate of the scanner, any moisture expands and fills the ridges of the print. The resultant scan will simply show a black blob, leading to the potential rejection of an authorised user. As a result it should be expected that any units for external use can work with very cold or damp fingers.
Considerations for the selection of standalone fingerprint-based readers include ease of installation and a user-friendly approach to enrolment and the removal of users. However, the main concern is that the systems deliver reliable and consistent entry management whilst retaining a credible level of security.
The P7 from Anviz is a standalone fingerprint and RFID reader. It makes use of a 500 DPI sensor with a scanning area of 22 x 18 mm. The device can support up to 3,000 users using fingerprint, code and card combinations. In terms of transaction records, up to 50,000 events are stored in the integral log. The fingerprint scanner is claimed to be waterproof and abrasion resistant. The manufacturer states that it can be used externally with an optional waterproof cover. The standard unit is rated to IP53.
With regard to authentication, the P7 reader can make use of fingerprint, PIN and RFID card. As an additional option, a Mifare module is available. Identification options include fingerprint, credential, PIN, fingerprint plus PIN, fingerprint plus credential or PIN plus credential.
The reader is tamper protected, and also supports door status monitoring. Other access-based functions include time periods, group management and group access permissions. The latter elements are set via supplied software. Connections to the unit include RS485, TCP/IP and mini USB. The latter is used for connection to a PC if the software is required. The lock also features a Wiegand output. Power to the device and the door lock is via PoE.
The P7 is supplied with a paper quick start guide, a CD containing configurations software plus the full manual for the device, mounting screws and rawlplugs, a mini USB-to-USB connector and a modular connection cable for 12V DC power.
The cover of the reader is held on with a single standard crosshead screw. Removing this reveals two connector blocks plus a single jumper. There is also an RJ45 socket for PoE connectivity.
One point about this latter connection is that the cable will need to be terminated with a smallish boot. We tried this with several standard cables and almost all of them were a very tight fit. The result was that they either needed a high degree of pressure on the connector or a significant kink in the cable to allow the cover to close.
The main connections are made via the first terminal block. These will differ depending on the source of the power. Connections are made for a request-to-exit button, a door sensor and power to the lock. The jumper allows selection of either a 12V output or a volt-free contact.
Given that biometric readers are often specified for an enhanced degree of security, many end users may be concerned that the door lock connections are easily accessible from the reader. It is tamper protected, but unauthorised removal of the cover leads to a somewhat unobtrusive internal sounder generating an alarm tone. This is easily silenced, as we discovered within seconds. As such, it does raise a significant question over the suitability of the P7 for sites where security is of paramount importance.
Prior to fully mounting the unit, we carried out some basic configurations. These included setting the time and date, setting Admin users and carry out the initial set-up. The device was then powered down and fitted in position. On power up it had clearly retained the time and date, but the Admin users were no longer recognised. However, it did know it Admin users werte set as the menus could no longer be accessed. There is no reset option so you will need to connect the device via a PC to reinitialise the reader.
Connecting the reader is done directly via the USB connection. You can then search using the supplied software to find the device; you will need to enter various device parameters in order for it to be discovered. The process isn’t greatly intuitive, and we found general guidance on the Anviz website to be of more use than the manual. During the rest of the configuration process we became quite familiar with the initialise command, such were the number of issues we encountered!
When enrolling users, the process can be a little bit frustrating. The initial enrolment screen allows a user ID to be set. After this, the fingerprint is added. It will then default to adding another user and the user ID increments by one. However, each user can have two fingerprints plus a PIN and a card associated with their identity. In order to add these elements you need to reset the user ID each time. If you iss this the whole process quickly becomes a mess. When adding a number of users the need to constantly alter the ID number becomes quite annoying.
If you’re working from the device’s GUI, it can be frustrating, because the structure of the set-up process isn’t smooth or consistent. On a few occasions it took four or five attempts to achieve what should be simple tasks.
It is important to establish an Admin user from the very start, as the reader keypad allows free access the menus as well as allowing the device to be shut down.
Having suffered a few frustrations with getting fingerprints recognised, we would recommend ensuring that the Admin accounts can use fingerprint, PIN or a registered credential as options to allow access to the system.
The consistency of performance is average in internal applications, but accuracy becomes far more erratic if presented fingers are damp or very cold. Given the nature of British winters, this does make it hard to envisage the P7 as a credible tool for external locations.
The P7 does offer choices with regards to system functionality, but to be honest these do not make up for the negative aspects of the unit’s performance.
The securely encrypted reader supports template-on-a-card as standard. The system uses Mifare credentials and output is 32 bit Wiegand. Read range is quoted as 20 to 40mm.
The benefit of template-on-a-card as an element of biometric systems is that it frees up the reader from the requirement for on-board storage and processing. Also, throughput times are increased due to the fact that the system is only carrying out a one-to-one comparison as a verification process.
Connections to the device are via a captive fly lead; the electronics are potted and the unit is rated to IP65. Power input is 12V DC. For status indications the unit has multi-coloured LEDs and an audible buzzer.
The reader is supplied with an A4 installation guide and a separate sheet explaining enrolment for template-on-a-card. If you’re new to BQT solutions, and we daresay many of you will be, they are not that big on the provision of documentation. The support documents supplied with the reader are minimal, and the online information is sparse to say the least. It’s certainly an area that the company could improve on.
An example of this is the fact that the marketing materials, which again are fairly sparse on details, refer to options to use the reader as a single authentication device if required. However, our test unit was supplied configured for template-on-a-card deployment, and there was no information included on how this could be changed. The materials also indicate that the reader itself can be used for the storage of templates; again there is no documatary reference to this.
The rear of the reader, as already mentioned, is potted. There is a small aperture for the integral speaker. Aside from that, the fly lead is the only other item of interest. A mounting bracket is supplied with the reader; this is secured with two standard crosshead screws. In some applications, installers or integrators may wish to swap these for secure options.
The attached fly lead includes connections for power input, Wiegand output, RS-485 connections, two relays, buzzer and LED. It is worth noting that the RS-485 and relay connections are flagged as only for optional use.
Installation of the BioX-2 is straightforward. Once the unit is mounted the enrolment process can begin. This makes use of an Enrol Card which is used to instigate the process. A word of warning is that the BioX-2 doesn’t like to hang around! Unless you are fully au fait with the process is likely to timeout before you’re finished.
The first stage of the process is to present the Enrol Card to the reader. You will get both an audible and visual indication that the card has been accepted. The backlight in the fingerprint scanner will also illuminate. At this point you present the finger to be registered to the reader, and an indication is given that it has been captured. The user then presents a second finger, and another indication is given.
Finally, the credential which is being used to store the templates is presented to the reader. After a brief pause a last indication will show that the template has been written to the card. The process is relatively straightforward, and did work as expected on most occasions.
We did note that the occasional enrolment attempt did not go as smoothly as we’d hoped, and at times the process ended due to the device timing out.
There were also a few occasions when the option to add a second finger seemed to be omitted. We did wonder whether the reader was grabbing an optical image of the initial finger as it was withdrawn and classing that as a second finger.
Once the access control credentials were loaded with the biometric templates, operation was very straightforward. When the credential was presented, the biometric reader illuminated and access was granted with presentation of the appropriate digit.
In internal applications when users had relatively dry and warm hands, the reading accuracy was very good and there were only very rare incidents of false rejection. Verification time was swift, with the slowest part of the process being the initial recognition of the Mifare credential. In harsher conditions, the BioX-2 can cope with cold and dry hands, and had a good degree of accuracy with damp fingers. If they were wet rather than damp, invariably access was denied.
What the BioX-2 does lack is a degree of flexibility with regard to configuration. There’s not a lot that the installer or integrator can adjust, and even the volume of the integral buzzer is solely governed by an adhesive label on the speaker output!
The GSDs-1FP is billed as a fingerprint switch. It is a standalone reader supporting up to 100 users. The reader incorporates a six digit keypad for programming. This cannot be used for two-factor authentication.
The manufacturer claims the unit can be used in external or internal applications, and the device is rated to IP65. It allows door status monitoring, and several functions such as relay time, audible alerts and backlight options can be configured. The unit is claimed to be tamper resistant.
The GSDs-1FP requires a 12V DC power input. Current consumption is quoted as 100mA. The unit mounts onto a standard electrical back box. It is supplied with mounting screws and rawlplugs, and two security screws are included to secure the cover. However an appropriate driver is not included. You also receive a brief installation guide; this makes reference to a supplied varistor, but this was also not included in the package.
The rear of the unit is potted, and there are two screw type connector blocks which manage all cabling. The mounting brackets are each side of the unit, and these have covers to conceal the security screws.
The connector blocks are used for power input, door monitoring contact, request-to-exit button, external peripheral device and the door lock. There is also an interlock option to include a secondary device. Obviously, as was mentioned with the Anviz unit, having the door lock connection in an external unit will not be acceptable in applications where security is of importance.
The unit is billed as tamper resistant, but this seemingly alludes to the security screws as we were able to access the wiring without an alarm. The covers for the fixings contain magnets, and these obviously interact with an internal switch as certain reset functions cannot be completed with these in place.
With the unit installed, we powered up the GSDs-1FP. There is a default user code which opens the lock, but is disabled once a fingerprint is added. The end-user will need the engineer code in order to add and delete fingerprints.
The manual advises that the unit be defaulted to factory settings before commencing programming for the first time. The instructions to carry out this process are to enter the engineer code (obviously as this was the unit’s first power up, these were still the default settings), type in a reset code and then present a finger to confirm. As this process is carried out before initial programming, it seems that just the presence of a finger is required.
We followed the instructions but the outcome was not what we expected. The unit froze and generally became non-responsive. The user manual does include instructions to force a factory reset. This took a few attempts but was ultimately successful.
As the unit is fingerprint-only and has no log, system administrators will need to keep a written note of which individuals relate to which user locations. Without this, it’s not possible to remove a specific user’s access rights.
With regard to configuration, the GSDs-1FP can have the backlight switch to always on or only on after activity. This only affects the backlight for the six keys and requires one of the keys to be pressed for the backlight to come on. The fingerprint sensor and the status LED remain illuminated, and as general users do not need to interact with the keypad, it does not affect ease of operation. There is also an option to enable silent operation.
The relay output time for the lock can also be adjusted. This doesn’t use the most accurate process, in that the code is entered and the status LED flashes quite quickly until a finger is presented to the reader. Each flash should indicate one additional second of relay open time. There is a slight delay between presenting the finger and the incrementation ceasing. More of this in a moment.
We did find the GSDs-1FP a little sluggish when compared to the other units. On occasions it seemed to miss that a finger had been presented, and the time between presentation and relay activation was longer.
After configuration, the relay operation was so brief it was not possible to open the door. This was reset several times with ever-increasing times, but to no avail. In the end the only way to get a usable relay time was to reset the unit to default, which wiped out all other programming.
Reading was fairly consistent and accurate, even when rfingers were presented slightly off the sensor or askew. During testing we didn’t see any evidence of false accepts.
GSD promotes the unit as suitable for outdoor use. If fingers were wet when presented to the reader, the unit could not identify them. It wasn’t so much a case of false rejects rather than the finger simply not being recognised.
The P7 from Anviz has a number of negative points which make it hard to recommend as a credible security tool. Whilst it does offer a decent level of flexibility, that doesn’t count for a lot when the security of the unit can be compromised. It certainly isn’t ideal for use on external doors as users with damp or very cold hands will see erratic results.
Standalone devices will often make connections to the door lock accessible from an insecure area. It’s a known issue that often must be accepted, and the onus is on manufacturers to minimise any potential risk.
Sadly, with the P7, tampering is too simple. The tamper protection option isn’t great, and without knowledge of the device we worked out how to disable it in seconds. Because of these points we cannot recommend the P7 for use in security applications.
BQT Solutions: BioX-2
The BioX-2 offers credible and secure two-factor authentication utilising Mifare credentials and fingerprint-based scanning. The use of the template-on-a-card model works well, decreasing the reliance upon high-level processing at the reader or the need for direct connection to a central server. It also speeds up the rate of throughput.
Because the unit outputs data in the Wiegand format and connects to an access solution, there are no concerns about lock outputs in the device. As such, it represents a simple biometric reader for low to medium risk applications.
It does lack flexibility with regard to configurations for the installer or integrator, which for some could be a negative point if a greater degree of control is required. However, despite this shortcoming, it is recommended where basic fingerprint-based biometric access control is required.
The GSDs-1FP is billed as a fingerprint switch, and to be honest that is probably a fair appraisal of how it should be used. The fact that connections to the door lock are easily accessible makes it unsuitable for any application where security is of prime concern. Accessing the wiring blocks is too simple for it to be considered as a credible element of a risk-mitigation solution.
GSD has clearly focused on making the device configurations as simple as possible, as the only input mechanism is the integral six digit keypad. Also, feedback to any programming is limited to audible beeps and the status LED. Unfortunately this does mean the process isn’t as smooth as some might demand, and on several occasions we had to repeat the configurations in order for them to be accepted.
We did not manage to resolve the problem with the relay time, and as such that is an issue which the manufacturer needs to address. Additionally, we do not believe this unit would be suitable for use on an external door due to the failure to read damp or wet fingers. As such we cannot recommend the GSDs-1FP for security applications.